You’re trying to bridge modern OAuth (Azure AD + PKCE) with a legacy WCF + STS token model—and that’s exactly where custom connectors in Microsoft Power Apps / Microsoft Power Automate start to hit limitations.
What’s really happening
Your flow is:
- Authenticate via Microsoft Entra ID (OAuth2 + PKCE)
- Call STS → get security token
- Call WCF SOAP service using that token
Problem:
- Custom connectors support OAuth2
- But do NOT support multi-step token exchange flows (STS chaining)
Key limitation
Power Platform custom connectors cannot dynamically:
- Call STS
- Extract token
- Inject into next request (SOAP header)
Especially with:
- SOAP + WS-Security headers
- Token transformation
Recommended architecture (best practice)
Use a middleware layer (MANDATORY for your scenario)
Build a wrapper using:
- Azure Functions (best)
- Azure API Management
Architecture flow
Power Apps / Power Automate
↓
Custom Connector (OAuth2 only)
↓
Azure Function / APIM
↓
1. Get STS Token
2. Call WCF SOAP
3. Return response
How to implement (step-by-step)
Step 1: Custom Connector (simple)
- Use OAuth2 (Azure AD)
- Expose only:
- Clean REST endpoints (not SOAP)
Step 2: Azure Function (core logic)
Inside function:
1. Acquire AAD token
(using Managed Identity or On-Behalf-Of)
2. Call STS endpoint
// pseudo-code: exchange the AAD token for an STS token
var stsToken = CallSTS(aadToken);
3. Call WCF SOAP service
Build SOAP envelope
Inject STS token into header
4. Return JSON response
Step 3: Transform SOAP → REST
Important:
- Power Apps works best with JSON
- Convert SOAP response → JSON
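Steps 2 and 3 as one Azure Function, written here as an added example rather than code from the original answer. It assumes the .NET isolated-worker model with ImplicitUsings enabled, the Microsoft.Azure.Functions.Worker and Microsoft.Identity.Client packages, an STS that returns the security token as a plain string, and placeholder values for the route, scope, STS and WCF URLs and the SOAP contract.

```csharp
using System.Net;
using System.Net.Http.Headers;
using System.Text;
using System.Xml.Linq;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Identity.Client;

// Added example (not the original answer's code). URLs, scope, route and SOAP element names are placeholders;
// the STS is assumed to return the token as a plain string. Requires ImplicitUsings (System.Linq, System.Net.Http, Tasks).
public class LegacyBridge
{
    private static readonly HttpClient Http = new();
    private static readonly IConfidentialClientApplication Cca = ConfidentialClientApplicationBuilder
        .Create(Environment.GetEnvironmentVariable("AAD_CLIENT_ID"))
        .WithClientSecret(Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET")) // prefer a certificate or Key Vault reference
        .WithAuthority(AzureCloudInstance.AzurePublic, Environment.GetEnvironmentVariable("AAD_TENANT_ID"))
        .Build();

    [Function("GetCustomer")]
    public async Task<HttpResponseData> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get", Route = "customers/{id}")] HttpRequestData req, string id)
    {
        // 1. Exchange the connector's Azure AD bearer token via On-Behalf-Of so the caller's identity flows downstream.
        var bearer = req.Headers.GetValues("Authorization").First()["Bearer ".Length..];
        var obo = await Cca.AcquireTokenOnBehalfOf(new[] { "api://legacy-sts/.default" }, new UserAssertion(bearer)).ExecuteAsync();

        // 2. Call the STS (placeholder URL); assumed here to return the security token as a plain string.
        using var stsReq = new HttpRequestMessage(HttpMethod.Post, "https://sts.example.invalid/token");
        stsReq.Headers.Authorization = new AuthenticationHeaderValue("Bearer", obo.AccessToken);
        var stsToken = await (await Http.SendAsync(stsReq)).EnsureSuccessStatusCode().Content.ReadAsStringAsync();

        // 3. Build the SOAP envelope and inject the STS token into the WS-Security header (token element depends on the binding).
        XNamespace soap = "http://schemas.xmlsoap.org/soap/envelope/";
        XNamespace wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
        XNamespace svc = "http://legacy.example.invalid/customers";
        var envelope = new XElement(soap + "Envelope",
            new XElement(soap + "Header", new XElement(wsse + "Security", new XElement(wsse + "BinarySecurityToken", stsToken))),
            new XElement(soap + "Body", new XElement(svc + "GetCustomer", new XElement(svc + "id", id))));
        using var wcfReq = new HttpRequestMessage(HttpMethod.Post, "https://legacy.example.invalid/CustomerService.svc")
            { Content = new StringContent(envelope.ToString(), Encoding.UTF8, "text/xml") };
        wcfReq.Headers.Add("SOAPAction", "http://legacy.example.invalid/customers/GetCustomer");
        var soapResponse = XDocument.Parse(await (await Http.SendAsync(wcfReq)).EnsureSuccessStatusCode().Content.ReadAsStringAsync());

        // 4. Flatten the SOAP body's child elements into a JSON object so the custom connector sees a plain REST response.
        var result = soapResponse.Root!.Element(soap + "Body")!.Elements().First();
        var resp = req.CreateResponse(HttpStatusCode.OK);
        await resp.WriteAsJsonAsync(result.Elements().ToDictionary(e => e.Name.LocalName, e => e.Value));
        return resp;
    }
}
```

The custom connector then targets only this function's REST route, so the STS token never leaves the middleware and the WCF endpoint is never exposed to Power Platform directly.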
Custom connectors alone cannot handle OAuth + STS + SOAP chaining
→ You need a middleware layer (Azure Function or APIM)